BKHTCMIS.RVW 20080219

"How to Cheat at Managing Information Security", Mark Osborne, 2006, 1-59749-110-1, U$39.95/C$51.95
%A Mark Osborne www.interoute.com
%C 800 Hingham Street, Rockland, MA 02370
%D 2006
%G 1-59749-110-1
%I Syngress Media, Inc.
%O U$39.95/C$51.95 781-681-5151 www.syngress.com amy@syngress.com
%O http://www.amazon.com/exec/obidos/ASIN/1597491101/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/1597491101/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/1597491101/robsladesin03-20
%O Audience i Tech 2 Writing 2 (see revfaq.htm for explanation)
%P 315 p.
%T "How to Cheat at Managing Information Security"

The introduction states that this book is intended to cover the basic concepts of information security, and fundamental information about the tools involved.

Chapter one discusses where the security function should be placed in organizational structures. What a policy is, and isn't, as well as what it does and does not do, is reviewed in chapter two. Some basic terms and concepts are described in chapter three, although the level of the material varies quite a bit. Chapter four looks at some UK and US laws related to information security. Terse (but, within limits, realistic) comments on some of the major and popular security frameworks are provided in chapter five. Chapter six is a set of anecdotes from some really bad job interviews. Osborne uses a lot of anecdotes, at least one at the beginning of every chapter. The stories are amusing, but really don't serve to support or cement any of the security points under discussion. Chapter seven outlines some security aspects of network topology. The advice is decent, but there are too many diagrams that are poorly explained. Firewall concepts are presented in chapter eight, but largely from a vendor perspective.
Chapter nine takes a much more realistic look at intrusion detection systems than is usually the case, noting that the devices are not a panacea for security overall and require a number of factors that are seldom noted in the general literature. More details of implementing the technology are given in chapter ten. Chapter eleven, I am delighted to see, addresses the difficulty in defining the term "intrusion prevention system," and then goes on to list the variety of technologies that may exist under that banner. The practicalities and problems of penetration testing are examined in chapter twelve. Some application security issues are briefly described in chapter thirteen.

While not a complete guide to information security, this book does provide a solid starting point, and useful tips that are often missed in a number of the works that have been thrown on the security bandwagon. I would not have a problem in recommending it to those who are in the initial stages of securing their own networks, as long as they have a basic knowledge of system administration.

copyright Robert M. Slade, 2008   BKHTCMIS.RVW   20080219